Summer SOTI - DDoS by the numbers

The State of the Internet / Security report has been the home for Akamai's research on DDoS, attack traffic and Internet threats for over three years. While the report has evolved and expanded its scope considerably over that time, the content and how it's presented have only seen moderate changes. But as of the Summer 2018 Web Attack report, you'll see significant changes in how we present this content.

The first and possibly most noticeable change is moving some of the statistical graphs out of the report and into the blog. Eventually we plan to move from static representations to API-driven graphics that automatically update with the latest information as it happens. This post covers the first half of our graphics, based on our DDoS data, and includes information on attack vectors, attack size, and who's being attacked. Our next post will cover Web Application Attacks.

DDoS Activity

One of the most important changes in our data reporting is a shift from quarterly to semi-annual reporting. With rare exceptions, such as when a new attack type is discovered, the attack statistics change slowly over time. We still provide weekly and monthly resolution in many of the graphs, but won't be reporting the data as frequently.

The following tables and plots represent statistics from November 1, 2017, through April 30, 2018, though several are aimed at providing a longer-term view of the data. Our data is collected from the attack reports submitted after each attack and represents the expertise of our Prolexic team. Akamai saw 7,822 DDoS attacks during this time period.

Layer 3 and 4 attacks continued to account for the vast majority (99.1%) of the DDoS attacks seen by Akamai. This is unsurprising since creating a volumetric attack using reflectors or botnets is more economical than creating an attack on the application layer. UDP fragment floods continue to account for nearly a third of all DDoS attacks seen by Akamai. This reflects the fact that fragmentation traffic is a common tool in its own right, and is also a significant factor in other UDP attacks where large packets are fragmented into smaller packets.

DNS floods (17%) and Connection-less Lightweight Directory Access Protocol (CLDAP) reflection (13%) attacks account for nearly another one-third of the attacks recorded this period. CLDAP has been a popular component of many attacks does not appear to be going away any time soon.

Reflectors, such as DNS, NTP, CharGEN, and SSDP will continue to be a large component of attack traffic because of the number of exposed systems on the Internet. We cover the use of memcached as a reflector and amplifier for DDoS in the Summer 2018 Attack Spotlight, but after its huge splash at the end of February, efforts by defenders seem to have been effective in sidelining this vector as a serious threat.

The longer-term view of these attack vectors highlights the spikes in attacks in June and August of 2017. 2018 appears to have started with a minor increase in attacks compared to 2017, but it remains to be seen if this will translate to more attacks overall as the year progresses.

We like pulling out the Attack Density and Trends plot at a regular interval, because it highlights aspects of DDoS traffic that a simple count may miss. Perhaps the most important takeaway from this plot is that, after nearly a year of decline, the median size of attacks has nearly returned to where it was at the beginning of 2017. One might be tempted to think this was because of the extreme size of the memcached attacks, but this is why we use the median as our index, rather than the average; we don't want a single outsized attack to skew our careful analysis.

Date

Jan 2016

Jul 2016

Jan 2017

Jul 2017

Jan 2018

Apr 2018

Median Attack Size

1230 Mbps

965 Mbps

896 Mbps

616 Mbps

782 Mbps

1287 Mbps

The plot contains a significant amount of information encoded in multiple ways. Note that each major demarcation on the y axis represents a tenfold growth in attack size. Color was used to represent the density of attacks; bright yellow and green show the size of the most common attacks, while violet and indigo represent attack sizes that are rarely seen. The trend lines represent the 5th, 25th, 50th, 75th, and 95th percentile of attacks (read from bottom to top). In other words, the black line indicates the 50th percentile, where half of all attacks are smaller and half are larger. Fully 95% of all attacks seen by Akamai are less than 10 Gbps -- something to think about when it's time for the annual threat review.

The gaming industry has continued to be the single largest target of DDoS attacks that Akamai defends against. The majority of these attacks appear to stem from the people using systems affected by the attacks. In other words, it's mainly gamers attacking the sites out of frustration or hoping to gain an edge on their competitors. Telecom and financial services organizations come in a distant second and third in the target ranking.

Once attacked, it is extremely likely an organization will be attacked again. During the most recent six-month period, companies that were attacked were targeted 41 times on average, with one organization suffering from 884 DDoS attacks in that time frame. Is your organization prepared to defend against five attacks every day? While this may seem extreme, it is rare that a DDoS attack is a singular event, so once an organization has been attacked, it needs to be prepared for follow-up threats.

So where are all these attacks coming from? The answer is complicated. We saw 30% of all attack traffic coming from the U.S., followed by China and the U.K. But that doesn't mean the attackers are actually in the U.S. Or China. Or the U.K. Reflection attacks, botnets, and the ease of spoofing with UDP mean that determining the location of the attacker is difficult based simply on the traffic the defender sees. Tracing the DDoS traffic back to the attacker is difficult, expensive, and time consuming, not to mention unprofitable.

Top 10 Source Countries for DDoS Attacks, November 2017 - April 2018

Country

percentage

source IP count

U.S.

30

46,137

China

16

24,831

U.K.

5

7,840

India

4

5,975

Spain

3

5,237

Russian Federation

3

4,964

Brazil

3

4,877

Korea

3

4,820

Japan

3

4,499

Ecuador

2

3,483

other

28

43,487

Our next blog post will look at application layer attacks such as SQL injection, cross-site scripting, and similar attack traffic. Here's a spoiler: SQLi attacks are still the most common type of application attack. Shocking.

We're Social

Akamai secures and delivers digital experiences for the world’s largest companies. Akamai’s intelligent edge platform surrounds everything, from the enterprise to the cloud, so customers and their businesses can be fast, smart, and secure. Top brands globally rely on Akamai to help them realize competitive advantage through agile solutions that extend the power of their multi-cloud architectures. Akamai keeps decisions, apps, and experiences closer to users than anyone — and attacks and threats far away. Akamai’s portfolio of edge security, web and mobile performance, enterprise access, and video delivery solutions is supported by unmatched customer service, analytics, and 24/7/365 monitoring. To learn why the world’s top brands trust Akamai, visit www.akamai.com, blogs.akamai.com, or @Akamai on Twitter. You can find our global contact information at www.akamai.com/locations.